How To Secure Your Ubuntu 10.10 Desktop With LinOTP 2

This howto guides you through setting up a standalone LinOTP one-time password authentication backend on your Linux machine. This lets you add two-factor authentication with one-time passwords to your desktop login.

LinOTP is a modular OTP (one-time password) solution that supports many different OTP tokens. LinOTP is written in Python, based on Pylons, and runs behind Apache. It is open source, licensed under the AGPLv3. Additional functionality, maintenance and support can be licensed in an Enterprise Edition.

This howto should work on Ubuntu 10.10 and Debian Squeeze.

Prerequisites

You can either download the necessary packages from the LinOTP website, or add the online repository to your package sources and install them with apt-get.

This howto uses the second way to install the software.

Configure the online repository

First you need to add the GPG key that was used to sign the packages:

During the package installation you will be asked the following questions:

Do you want to run LinOTP 2 via Apache2?
-> Yes
Enter admin password for the new LinOTP admin account.
-> think of one
Do you want to create a self signed certificate?
-> Yes
What SQL database do you want to use for the token database?
-> Mysql
database hostname:
-> localhost
Name of Token database
-> LinOTP2
database user
-> linotp2
database users password:
-> think of one
Enter MySQL root password
Do you want to create the tables:
-> yes

During the installation the encryption key /etc/linotp2/encKey is created.
Be sure to also enter the MySQL root password, so that the database is created as well.

You now have two ways to manage the LinOTP server and the OTP tokens:
either the command line client linotpadmin.py or the web interface located at

https://localhost/manage

Please note: if you get an "internal server error", take a look at /var/log/apache2/error.log.
It may be that the access rights of the directory /var/log/linotp are wrong.
Also, the whole directory /etc/linotp2 needs to be owned by the user linotp.
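The two permission problems named above (a /var/log/linotp the service cannot write to, an /etc/linotp2 tree not owned by linotp) are quick to check by hand but easy to get wrong after a restore or a copy. The following script is an added example, not part of this howto or of the LinOTP project: it audits the layout the howto describes and also flags an encKey that is readable by group or others, a check chosen for this example because that file protects the token secrets. The paths and the owner name are taken from the text; demo() exercises the audit on a constructed temporary layout so it can be run on any machine.

```python
import os
import pwd
import stat
import tempfile


def owner_name(path):
    """User name owning `path`; falls back to the numeric uid if there is no passwd entry."""
    uid = os.stat(path).st_uid
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_linotp_layout(conf_dir="/etc/linotp2", log_dir="/var/log/linotp", owner="linotp"):
    """Return a list of problems; an empty list means the layout matches the howto's notes.

    Checks (chosen for this example): everything under conf_dir is owned by `owner`,
    conf_dir/encKey exists and is not readable by group or others, log_dir exists,
    is owned by `owner` and is writable for that owner.
    """
    problems = []
    if not os.path.isdir(conf_dir):
        return [f"{conf_dir}: directory missing"]

    # The whole configuration tree must belong to the service user.
    for root, _dirs, files in os.walk(conf_dir):
        for path in [root] + [os.path.join(root, f) for f in files]:
            who = owner_name(path)
            if who != owner:
                problems.append(f"{path}: owned by {who}, expected {owner}")

    enc_key = os.path.join(conf_dir, "encKey")
    if not os.path.isfile(enc_key):
        problems.append(f"{enc_key}: encryption key missing")
    else:
        mode = stat.S_IMODE(os.stat(enc_key).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{enc_key}: mode {mode:04o} is accessible by group/others")

    if not os.path.isdir(log_dir):
        problems.append(f"{log_dir}: directory missing")
    else:
        who = owner_name(log_dir)
        if who != owner:
            problems.append(f"{log_dir}: owned by {who}, expected {owner}")
        elif not stat.S_IMODE(os.stat(log_dir).st_mode) & stat.S_IWUSR:
            problems.append(f"{log_dir}: not writable for {owner}")
    return problems


def demo():
    """Audit a constructed layout in a temp dir (owned by whoever runs this).

    Returns (problems_with_correct_layout, problems_after_loosening_encKey).
    """
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "linotp2")
        log = os.path.join(tmp, "linotp-log")
        os.mkdir(conf)
        os.mkdir(log)
        key = os.path.join(conf, "encKey")
        with open(key, "wb") as fh:
            fh.write(b"constructed dummy key, not a real encKey")
        os.chmod(key, 0o600)
        me = owner_name(tmp)            # the current user stands in for 'linotp'
        good = audit_linotp_layout(conf, log, me)
        os.chmod(key, 0o644)            # a key readable by everyone on the box
        bad = audit_linotp_layout(conf, log, me)
    return good, bad


if __name__ == "__main__":
    print(demo())
    for problem in audit_linotp_layout():   # the real paths from the howto
        print(problem)
```

Run it as root after the installation; an empty list for the real paths means the "internal server error" is not caused by ownership or log directory permissions and the Apache error log is the next place to look.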

Configuration of the UserIdResolver

LinOTP reads users through so-called UserIdResolvers. The AGPLv3 version comes with
the PasswdUserIdResolver, which reads users from flat files such as /etc/passwd.
You can also create a new file that contains the users, as long as you stick to the passwd format.

The Enterprise Edition also provides Resolvers for users located in LDAP and SQL databases.

You may use the management web UI or the command line client to set up your LinOTP server. You need to configure a UserIdResolver and a default realm.
You may do this by issuing the following commands:

You should see the list of your users. Now you are ready to assign tokens to your users.
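If you write your own user file for the PasswdUserIdResolver, a line that does not follow the passwd format is silently not a user. The parser below is an added example (not the resolver's code, whose exact behaviour is not described here): it reads passwd-format text the way such a resolver would, seven colon-separated fields per line, and reports the lines it had to skip so you can see why a user is missing from the list. The sample file, including the user "cornelius" from this howto, is constructed for the example; the user-name pattern approximates what useradd accepts.

```python
import re

# Constructed sample in passwd format (7 colon-separated fields per line).
# Line 4 has too few fields and line 5 is a comment, which the format has no syntax for.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
cornelius:x:1000:1000:Cornelius:/home/cornelius:/bin/bash
alice:x:1001:1001:Alice,,,:/home/alice:/bin/bash
broken-line-with-too-few-fields:x:1002
# comments are not part of the passwd format either
"""

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")   # approximation of useradd's rule


def parse_passwd(text):
    """Parse passwd-format text.

    Returns (users, errors): users maps name -> record dict (uid/gid as ints),
    errors is a list of (line_number, message) for lines a resolver cannot use.
    """
    users, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != len(PASSWD_FIELDS):
            errors.append((lineno, f"expected 7 fields, got {len(fields)}"))
            continue
        rec = dict(zip(PASSWD_FIELDS, fields))
        if not NAME_RE.match(rec["name"]):
            errors.append((lineno, f"invalid user name {rec['name']!r}"))
            continue
        if not (rec["uid"].isdigit() and rec["gid"].isdigit()):
            errors.append((lineno, "uid and gid must be numeric"))
            continue
        if rec["name"] in users:
            errors.append((lineno, f"duplicate user {rec['name']!r}"))
            continue
        rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
        users[rec["name"]] = rec
    return users, errors


def list_users(text):
    """User names in file order, i.e. what a passwd-style resolver would offer."""
    users, _ = parse_passwd(text)
    return list(users)


if __name__ == "__main__":
    users, errors = parse_passwd(SAMPLE_PASSWD)
    print("users:", ", ".join(users))
    for lineno, msg in errors:
        print(f"line {lineno} skipped: {msg}")
```

Point it at your own file (open it and pass the contents to parse_passwd) before configuring the resolver; every line listed under errors is a user LinOTP will not show.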

Enroll OTP Token

You may now want to enroll an OTP token.
In this example we enroll an mOTP token (you could also enroll an OATH token or a
Google Authenticator) on our mobile phone.
Download the app from http://motp.sourceforge.net
and install it on your phone. You may initialize the token by entering 0000 as PIN
on the phone. An init-secret will be displayed.

This means that you generated an mOTP token that is assigned to the user "cornelius". The otpkey is the init-secret that was displayed on your phone. You may choose any serial (serial number) you like.
The otppin is the PIN you enter on the phone to generate an OTP value.

Optionally you may set an OTP PIN, a fixed password part that you need to enter
in front of the OTP value (depending on the parameter PrependPIN):

Alternatively you can use the management web interface to enroll the token.

Now you are ready to generate your first OTP value! Go to the portal site:

https://localhost/auth/index

and enter your username and, as password, the OTP PIN you set followed by the
OTP value you generated with your phone. If you fail to authenticate,
you might have mistyped the init-secret or the time on your phone might be out of sync.
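To see why a wrong init-secret or a phone clock that is out of sync makes the login fail, it helps to compute an mOTP value yourself. The block below is an added example, not LinOTP's or the mOTP app's code: it implements the published Mobile-OTP scheme (the first six hex digits of MD5 over the 10-second time step, the init-secret and the PIN), then a server-side check that searches a time window around its own clock, nearest step first, so the matching step also reveals the clock skew, and refuses a value whose step was already consumed. The window size and the replay rule are choices made for this example; the secret, PIN and timestamps are constructed values.

```python
import hashlib
import time

STEP = 10      # mOTP derives one value per 10-second interval
OTP_LEN = 6    # the first six hex digits of the digest


def motp_for_step(secret, pin, step):
    """The mOTP value for one 10-second step: MD5(step || secret || pin), first 6 hex chars."""
    digest = hashlib.md5(f"{step}{secret}{pin}".encode("ascii")).hexdigest()
    return digest[:OTP_LEN]


def motp(secret, pin, now=None):
    """What the phone app computes from its own clock (unix time in seconds)."""
    if now is None:
        now = time.time()
    return motp_for_step(secret, pin, int(now) // STEP)


def find_motp_step(secret, pin, candidate, now, window=180):
    """Try every step within +/- window seconds of `now`, nearest first.

    Returns the matching step, or None if the value fits nowhere in the window
    (wrong secret/PIN, or the phone clock is off by more than the window).
    """
    centre = int(now) // STEP
    for dist in range(window // STEP + 1):
        for offset in ((0,) if dist == 0 else (-dist, dist)):
            step = centre + offset
            if motp_for_step(secret, pin, step) == candidate.lower():
                return step
    return None


class MotpVerifier:
    """Server-side state for one token: time window plus replay protection.

    verify() returns (accepted, reason, skew_seconds); skew is None when nothing matched.
    """

    def __init__(self, secret, pin, window=180):
        self.secret, self.pin, self.window = secret, pin, window
        self.last_step = -1          # highest step whose value has already been consumed

    def verify(self, candidate, now=None):
        if now is None:
            now = time.time()
        centre = int(now) // STEP
        step = find_motp_step(self.secret, self.pin, candidate, now, self.window)
        if step is None:
            return (False, "no match: wrong secret/PIN or phone clock off by more than the window", None)
        skew = (step - centre) * STEP
        if step <= self.last_step:
            # Same or older step than one already accepted: a captured value is being reused.
            return (False, "replay: an OTP from this step was already used", skew)
        self.last_step = step
        return (True, "ok", skew)


if __name__ == "__main__":
    # Constructed token: a 16-hex-digit init-secret as the app displays it, PIN 0000.
    secret, pin, t = "0123456789abcdef", "0000", 1300000000
    v = MotpVerifier(secret, pin)
    print("phone value:", motp(secret, pin, t))
    print("on time:   ", v.verify(motp(secret, pin, t), t))
    print("reused:    ", v.verify(motp(secret, pin, t), t + 5))
    print("phone -40s:", v.verify(motp(secret, pin, t + 20), t + 60))
    print("phone -7m: ", v.verify(motp(secret, pin, t + 100), t + 520))
```

If your own login fails, compare the value the phone shows with motp(secret, pin) run on the server at the same moment: a match means the time is fine and the stored init-secret is wrong; no match but a hit a few steps away in find_motp_step means the phone clock needs adjusting.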

Authenticate via PAM

Now we will set up PAM to enable you to authenticate to your desktop.
The security module /lib/security/pam_linotp.so was installed
on your system. You may now set up OTP authentication. We choose to do it in a modular way:

Please note that when using the "debug" option, a great deal of information, including the password,
is written to auth.log.

You may now use common-linotp instead of common-auth in any
PAM configuration where you like.
E.g. you may change the line in /etc/pam.d/gdm:

@include common-auth

to

@include common-linotp

Now you need to authenticate with OTP to your GNOME desktop!
Note that you also need to change /etc/pam.d/gnome-screensaver
if you want to unlock the desktop with OTP as well.
You will no longer be asked for "Password" but for "Your OTP".

If you fail to authenticate, you may also take a look at /var/log/auth.log.
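The edit from @include common-auth to @include common-linotp is a one-line change, but a PAM file that is half-written or that lost its mode can lock you out, and the note about gnome-screensaver shows how easy it is to forget one of the files. The script below is an added example, not part of this howto or of the LinOTP packages: it swaps the include line in a pam.d file atomically while keeping a .bak copy and the file mode, and then lists which files in the directory still include common-auth. The file names gdm and gnome-screensaver come from the text; demo() works on a constructed temporary pam.d rather than the real /etc/pam.d.

```python
import os
import re
import shutil
import tempfile

# Matches exactly '@include common-auth' (optionally indented), not 'common-auth-something'.
COMMON_AUTH_RE = re.compile(r"^([ \t]*@include[ \t]+)common-auth[ \t]*$", re.MULTILINE)


def switch_include(text, new="common-linotp"):
    """Return (rewritten_text, lines_changed) with '@include common-auth' pointed at `new`."""
    return COMMON_AUTH_RE.subn(r"\g<1>" + new, text)


def switch_pam_file(path, new="common-linotp"):
    """Rewrite one pam.d file in place, keeping a .bak copy and the file mode; returns lines changed."""
    with open(path) as fh:
        text = fh.read()
    new_text, count = switch_include(text, new)
    if count:
        shutil.copy2(path, path + ".bak")
        tmp = path + ".tmp"
        with open(tmp, "w") as fh:
            fh.write(new_text)
        shutil.copymode(path, tmp)
        os.replace(tmp, path)       # atomic swap, so PAM never reads a half-written file
    return count


def files_still_using(pam_dir, include="common-auth"):
    """pam.d files that still include `include`, e.g. gnome-screensaver after only gdm was changed."""
    pattern = re.compile(rf"^[ \t]*@include[ \t]+{re.escape(include)}[ \t]*$", re.MULTILINE)
    hits = []
    for entry in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, entry)
        if os.path.isfile(path) and not entry.endswith(".bak"):
            with open(path) as fh:
                if pattern.search(fh.read()):
                    hits.append(entry)
    return hits


def demo():
    """Constructed pam.d with gdm and gnome-screensaver; switch gdm only and see what is left."""
    with tempfile.TemporaryDirectory() as pamd:
        for name in ("gdm", "gnome-screensaver"):
            with open(os.path.join(pamd, name), "w") as fh:
                fh.write("#%PAM-1.0\n@include common-auth\n@include common-account\n")
        changed = switch_pam_file(os.path.join(pamd, "gdm"))
        remaining = files_still_using(pamd)
    return changed, remaining


if __name__ == "__main__":
    print(demo())    # (1, ['gnome-screensaver'])
```

Keep a root shell open in a second terminal while you change the real files, and run files_still_using("/etc/pam.d") afterwards: every file it lists still takes the plain password, which is what you want for services you deliberately left alone and a gap for the ones you meant to switch.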